Veteran’s Administration loses 26.5 million records

A recent report from the Veteran’s Administration (VA) indicates that a data analyst illegally removed the personal records of over 26.5 million former service members from the VA, which was subsequently stolen from the analyst’s residence.  Fortunately, the records did not contain any medical or financial information on every service member that has served this country’s armed forces since 1975.  However, the names, dates of birth, and Social Security Numbers were among the information that has been stolen.  The authorities do not believe that the information was specifically targeted, as there has been a string of burglaries in the analyst’s area of residence.  They also believe that the thief(s) may not even know that they have this particular information.  How the data analyst got the data out of the building is unclear, whether it was on a laptop, USB drive, CD/DVD or some other type of destructive, transportable media.  However, the incident does pose several questions, for me, about the organization’s Information Security policies and procedures.  Especially, if you consider that my name, date of birth, and Social Security Number is included in the 26.5 million other veterans that have been affected.

My first question about this incident is, naturally, what were the motivating factors that allowed this series of events to take place?  If you recall from my previous blog entry, my research for the State of the Threat presentation indicated that there is a growing market for our personal information to be used in identity theft schemes.  With organized crime groups doing all they can to get the SSN’s of innocent people to be used to steal their identities for monetary gains, I have to wonder (pure speculation!) if there was some sort of cooperation between the data analyst and an external entity to have this information removed from the Veteran’s Administration.  With all the talk about the illegal immigration issue, we all know that many of those immigrants are using stolen identities in order to be able to work.  There is a debate going on in the Senate that may end up allowing those same illegal immigrants to keep the Social Security benefits that they paid into by using the stolen identities.  Could the underground market for names and SSN’s (and the finders fees for those numbers) be a motivating factor?

More imporant than the motivators is what security policies were in place that were supposed to safeguard against this type of thing occurring?  By now, most companies or agencies are being regulated by some sort of legistlation, whether it be GLBA, HIPPA, SOX, or NCUA 748, that mandates certain controls be implemented to prevent just this very thing from happening.  Were these safeguards implemented at the Veteran’s Administration?  If they were implemented, were they being followed?  Was there an awareness program in place to inform the employees of their roles and responsibilities in the organization’s Information Security posture?  Has a third party ever performed a risk assessment of the VA’s security posture, to include security policies and business processes?  What was the VA’s policy about USB Drives or other transportable media?  Is there unmitigated access to this type of data, once access is gained to the internal network?

For years, security professionals have been screaming, at the top of their lungs, that the user will always be the weakest link in an organization’s security posture.  Could this incident have been avoided with a comprehensive, standards based Risk Assessment and follow on Awareness Program?  Or, will the theoretical disgruntled employee (I don’t know if that’s the case in this incident) always be the worst fear of any organization?

This incident, or one of the dozen or so incidents that have been reported from some of the largest companies in the world, should put the need for a comprehensive, repeatable, and standards-based, third party risk assessment at the top of the list on every security professional’s mind.  If the thought of being the company or organization that is responsible for the identity theft and ruined credit of 1 person to millions of people doesn’t get the job done, maybe the fines and lawsuits that could ensue if an incident of this nature occurs at your organization, will be the motivator that enables your organization to realize that information security is not just a new buzz word.  It’s a reality….and a necessity.

As for me, I can be found at the nearest credit bureau trying to order my credit report.  OUT OF MY POCKET….NO LESS!!!

Word Attacks Overblown

The press is spending some attention on the Word attacks that took place recently, but we feel much of this is overblown. Sure, two forms of the attack are said to be in use, but there is little public info about them, and certainly no evidence of widespread attacks as of yet.

On WatchDog we have placed the suggestion of using the “winword /safe” command to better protect your organization, but it is likely a patch for the issue is coming in June, and until widespread exploits are available, it is pretty unlikely that most organizations will see any attacks from this.

In the meantime, we suggest treating it like the myriad of unpatched holes in Internet Explorer that occur so often, and use some caution, alert users and help desk folks to be aware of the symptoms. Then, apply the patch when it is released.

Most of all, please do not panic. The risks are not all that high compared to many of the other vulnerabilities common in most enterprises today.

Where is the Malware?

We are left wondering about the Exchange vulnerability. To date, we have seen no malware exploiting this vulnerability on a mass scale. Even public exposure of exploit code has not been made. So, the question is why?

Are attackers holding this back for integration into a multi-exploit attack or did the recent VNC development distract them from the Exchange problem. Only time will tell.

We will keep our eyes open for development on this situation and let you know what we see. In the meantime, make sure you are applying the patch for Exchange and upgrading your VNC servers to the new version. We are seeing wide scans for the VNC problem, and SANS is reporting much attacker activity from this exploit.

Recent State of the Threat Presentation

We, here at MicroSolved, dedicate our lives (yes we work at home, too) to the goal of helping to ensure a safer and more secure Internet for every user that may be inclined to partake in the wonder that is the Internet community. Ideally, we would love to work ourselves out of a job. Fortunately, we know that will never be possible. To that end, we have been providing a service that we like to call the State of the Threat, by which we take a look at the current state of the Internet and report on major events that have affected the community. Additionally, we attempt to make some forward looking guesses about where we think security professionals should expect to see upcoming issues or problems. In doing so, we have been performing quarterly presentations that address the threats that we saw to be of major concern over that 3 month period. During these presentations, we also attempt to guess where we think the hacker community may be investing more and more time toward research for newer attack vectors.

Our most recent State of the Threat presentation was performed this past Friday, May 12, 2006, in Fairmont, West Virginia. I delivered the presentation to the local chapter of InfraGuard, which is an initiative by the FBI to share and gather information with security professionals in the commercial sector. During my research I noticed a trend that appears to be the changing of the playing field that we have all been engaged in. Our presentation usually starts out with some astronomical numbers that represent the increase (or decrease, if that would ever happen) of cyber attacks that were noted during the past quarter. However, I had to depart from that normal format to talk about something that seems considerally more important, and definately more dangerous, if not expensive. After quite a bit of research done by myself and various other security gurus in the business, it is definately obvious that the profile of the most prolific attackers has changed from your everyday hobbyist with a desire to crack boxes and break applications, to attackers with a more devious intent. That’s right….criminals. We are starting to see more and more attacks that are financially driven. Unless you have some very good mail filters in place on your mail servers and in your inboxes, you have probably noticed an increase in Phishing attempts and everyday SPAM. Everyone has heard of at least one large company report that serveral thousand credit card numbers or customer’s personal information has been stolen. It’s worth noting that one major university here in Ohio experienced it’s third major compromise and data theft event in a couple of months. Try to imagine how important the social security numbers of a couple thousand students might be in the next couple of years. While their credit may not be the best now…imagine 10 years down the road when they are in the workforce heading up departments or entire firms. That information could be very lucrative to the organized crime rings around the world. If I were you, I would expect to continue seeing these types of attacks in the future.

The State of the Threat presentation talks about some of the more fun things going on out on the Internet, such as the threat that is I talk about where to look for the problems your cell phones, PDA’s, Bluetooth devices, and Smart Phones are going to bring into your organizations and homes. I even go into the theoretical threat that RFID tags are going to bring. Anyone get one of those neat chips installed under their skin? It might be infected with a virus. How about the fact that there has been almost a 1700% increase in Instant Messenger attacks over the past year. Do you have bots or botnets? I’d bet my next paycheck that you do, or you will in the near future!!! Any takers?

I can’t forget my favorite fun fact. The Windows System Time To Live is down to 18 minutes. The Windows System TTL is simply the amount of time it takes for an unpatched, unfirewalled Windows box, that is placed on the wild Internet, to become compromised or infected with some sort of malware. That time is 18 minutes. The fun fact, it actually takes longer for a brand new, out of the box, Windows XP Home Edition machine to connect to Windows Update and download all of the hot fixes than it would for it to become compromised.
We will be posting the full presentation on our website at in the next couple of hours. Please check back for the direct link to the presentation.

To Patch or Not To Patch, That is the Question!

Ahhh, the big question of tradeoffs. Do you apply the new Microsoft patch and stop Exchange from working with your Blackberry users or do you risk being compromised and worm infected when attackers release malware based on the vulnerability?

That is a HUGE question for many organizations. Right now, as I write this, several folks are contemplating that very question. Do you take the risk of a breach or keep your users happy? Both have large political fallout issues and long term impacts. Both have highly visible outcomes.

How do you make such a decision? Well, our suggestion is to evaluate the risks to your organization. But, that said, we are risk management folks, and others might not agree. We suggest you evaluate the potential of damage to your business that a compromise or worm infection could cause (perhaps based on your latest risk assessment) and compare that to the losses from having some members of your user population (the Blackberry users) partially unable to access some services in Exchange. Complete the process by converting these risks to real dollar damages to the bottom line and then decide. Of course, don’t forget to include regulatory and reputational damages in the comparison.

For some organizations, who are truly dependent on the Blackberry technology, the case may be that patching is the greater risk. For those organizations with additional controls and security mechanisms to protect their Exchange implementations, the risk may be partially mitigated and thus much less. For most, however, the answer will be to apply the patch. Then the question becomes, how can you explain to users the tradeoff you have been forced to accept?

For those organizations choosing not to patch, be very careful. It is very likely that a widely available target, such as Exchange, would make a ripe target for attackers and worms. Make sure you monitor the systems, networks and log files continually until you can apply the patch.

For those that patch and have to explain the solution to users who won’t be praying the “Blackberry prayer” for a while, be honest, open and up front. The more we explain the ideas of risk management to our users, the better decisions we empower them to make in the future. Awareness truly may be the key to a more secure future for all of us.

ASN.1 Still Alive and Kicking

The ASN.1 Microsoft vulnerability is still alive and well. If you check your IIS logs you probably see this activity on a regular basis. ASN.1 seems to be the Code Red and Nimda of today – it simply just won’t die.

Patches for ASN.1 have been available for quite some time, and the malware using this mechanism to spread is easily identified by proper IDS/IPS and anti-virus rules. With so many easily available options for protecting against it, it seems to be very robust at hanging in there.

Perhaps an organized effort should be arranged through some online forum to identify systems spreading very old malware such as this and to contact the system owners to inform them. Maybe an incident response effort for “aging worms, exploits and malware” or the like.

Any volunteers to head the effort?

Watch for FTP Attacks

As we posted to WatchDog last week, more and more attacks against FTP implementations are likely in the coming weeks. We noticed the release of a new GUI FTP fuzzer and so far it appears to be getting heavy use to find new vulnerabilities in several FTP servers, both commercial and shareware/freeware/open source. New FTP vulnerabilities and exploits are starting to emerge and are very likely to continue.

Admins of FTP servers should pay careful attention to their logs and their vendor information sources for new vulnerabilities and patches. It might also be a good time to make sure you have proper IDS/IPS coverage for all of your FTP servers and network drops.

As new fuzzers get developed and released, we think this might be an interesting precursor to vulnerability patterns. Let us know if you see anything interesting!

More Bots Spell Trouble

For some time now Bots have been growing in importance. They have truly become the most serious infosec threat to networks today. They are insidious, common and borne by some of the easiest to exploit vulnerabilities in many client side applications.

In many cases, organizations have rampant Bot activity inside their networks, though more often than not, they have no idea it is happening until a serious event like a DDoS attack or the like rises to their radar levels. The sad thing is, this is often too late. The attackers may have already gathered tons of data from network scans, sniffing and keyboard logging. They may already have access to the most critical data on the corporate network.

Now it seems that Bot masters have even begun to implement cryptography to better secure the connections between their programs. This helps protect the Bot traffic from discovery, analysis and reverse engineering attempts. It also makes signature matching and other IDS/IPS techniques much more difficult.

As before, the best defense against Bot attacks remains a two fold process. Organizations must implement proper egress filtering, including port blocking, traffic monitoring and analysis and proxy use. User systems simply can not be permitted to directly access the Internet in an unfettered manner in most networks. It is simply too risky.

Secondly, organizations must employ awareness to combat Bot infections. They must teach users of the associated dangers with open surfing, email attachments, instant messaging and peer to peer networks. All of these technologies and behaviors pose significant risk to the network environment – be it small, mid-size or enterprise.

Of course, all of this assumes the basic steps of patching, network firewalling and typical anti-virus/anti-spyware are already in place and functioning. You are doing that, right?